Abstract

Theoretical computer science has found fertile ground in many areas of mathematics. The approach has been to consider classical problems through the prism of computational complexity, where the number of basic computational steps taken to solve a problem is the crucial qualitative parameter. This new approach has led to a sequence of advances, in setting and solving new mathematical challenges as well as in harnessing discrete mathematics to the task of solving real-world problems.

In this talk, I will survey the development of modern cryptography — the mathematics behind secret communications and protocols — in this light. I will describe the complexity-theoretic foundations underlying the cryptographic tasks of encryption, pseudo-random number generators and functions, zero-knowledge interactive proofs, and multi-party secure protocols. I will attempt to highlight the paradigms and proof techniques which unify these foundations, and which have made their way into the mainstream of complexity theory.
1. Introduction

The mathematics of cryptography is driven by real-world applications. The original and most basic application is the wish to communicate privately in the presence of an eavesdropper who is listening in. With the rise of computers as a means of communication, abundant other applications arise, ranging from verifying the authenticity of data and access privileges to enabling complex financial transactions over the internet involving several parties, each with its own confidential information.

As a rule, in theoretical fields inspired by applications, there is always a subtle (and sometimes not so subtle) tension between those who do "theory" and those who "practice". At times, the practitioner shrugs off the search for a provably good method, saying that in practice his method works and will perform much better when put to the test than anything for which a theorem could be proved. The theory of cryptography is unusual in this respect. Without theorems that provably guarantee the security of a system, it is in a sense worthless, as there is no observable outcome of using a security system other than the guarantee that no one will be able to crack it.

In computational complexity based cryptography one takes feasible (or easy) to mean those computations that terminate in polynomial time and infeasible (or hard) those computations that do not.^1 Achieving many tasks of cryptography relies on a gap between feasible algorithms used by the legitimate user versus the infeasibility faced by the adversary. On close examination then, it becomes apparent that a necessary condition for many modern cryptographic goals is that $NP \neq P$,^2 although it is not known to be a sufficient condition. A (likely) stronger necessary condition which is also sufficient for many tasks is the existence of one-way functions: those functions which are easy to compute but hard to invert with non-negligible probability of success taken over a polynomial time samplable distribution of inputs.

In 1976 when Diffie and Hellman came out with their paper "New Directions in Cryptography" announcing that we are "on the brink of a revolution in cryptography", hopes were high that the resolution of the celebrated P vs. NP problem was close at hand and with it techniques to lower bound the number of steps required to break cryptosystems. That did not turn out to be the case. As of today, no non-linear lower bounds are known for any NP-complete problem.^3




Instead, we follow a two-step program when faced with a cryptographic task which cannot be proved unconditionally: (1) find the minimal assumptions necessary and sufficient for the task at hand; (2) design a cryptographic system for the task and prove its security if and only if the minimal assumptions hold. Proofs of security are then really proofs of secure design. They take the form of a constructive reduction. For example, the existence of a one-way function has been shown to be a sufficient and necessary condition for "secure" digital signatures to exist. To prove this statement one must show how to convert any "break" of the digital signature scheme into an efficient algorithm to invert the underlying one-way function. Defining formally "secure" and "break" is an essential preliminary step in accomplishing this program.

^1 We remark however that all security definitions (although not necessarily all security proofs) still make sense for a different meaning of 'easy' and 'hard'. For example, one may take easy to mean linear time whereas hard to mean quadratic time.

^2 This is the celebrated unresolved NP vs. P problem posed by Karp, Cook and Levin in the early seventies. NP corresponds to those problems for which, given a solution, its correctness can be verified in polynomial time, whereas P corresponds to those problems for which a solution can be found in polynomial time.

^3 NP-complete problems are the hardest problems in NP. Namely, if an NP-complete problem can be solved in polynomial time and thus be in P, then all problems in NP are in P.
These types of constructive reductions are a double-edged sword. Say that a system has been proved secure if and only if integer factorization is not in polynomial time. Then, either the system is breakable and the reduction proof immediately yields a polynomial time integer factorization algorithm, which will please the mathematicians to no end, or there exists no polynomial time integer factorization algorithm and we have found a superb cryptosystem with guaranteed security, which will please the computer users to no end.

Curiously, whereas early hopes of complexity theory producing lower bounds have not materialized, cryptographic research has yielded many dividends to complexity theory. New research themes and paradigms, as well as techniques originating in cryptography, have made their way to the mainstream of complexity theory. Well known techniques include random self-reducibility, hardness amplification, low degree polynomial representations of Boolean functions, and proofs by hybrid and simulation arguments. Well known examples of research themes include: interactive and probabilistically checkable proofs and their application to show inapproximability of NP-hard algorithmic problems, the study of average versus worst case hardness of functions, and trading off hardness of computation for randomness to be used for derandomizing probabilistic complexity classes.

These examples seem, on a superficial level, quite different from each other. There are similarities however, in addition to the fact that they are investigated by a common community of researchers, who use a common collection of techniques. In all of the above, an "observer" is always present, success and failure are defined "relative to the observer", and if the observer cannot "distinguish" between two probabilistic events, they are treated as identical. This is best illustrated by examples. (1) A probabilistically checkable proof is defined to achieve soundness if the process of checking it errs with exponentially small probability (which is indistinguishable from zero). (2) A function is considered hard to compute if all observers fail to compute it with non-negligible probability taken over an efficiently samplable input distribution. It is not considered "hard" enough if it is only hard to compute with respect to some worst case input never to be encountered by the observer. (3) A source outputting bits according to some distribution is defined as pseudorandom if no observer can distinguish it from a truly random source (informally viewed as an ongoing process of flipping a fair coin).

1.1. Cryptography and classical mathematics 

Computational infeasibility, which by algorithmic standards is the enemy of progress, is actually the cryptographer's best friend. When a computationally difficult problem comes along with some additional properties to be elaborated on in this article, it allows us to design methods which, while achieving their intended functionality, are "infeasible" to break. Luckily, such computationally intensive problems are abundant in mathematics. Famous examples include integer factorization, finding short vectors in an integer lattice, and the elliptic curve logarithm problem. Viewed this way, cryptography is an external customer of number theory, algebra, and geometry. However, the complexity theory viewpoint has not left these fields untouched, and has often shed new light on old problems.
In particular, the history of cryptography and complexity theory is intertwined with the development of algorithmic number theory. This is most evident in the invention of faster algorithms for integer primality testing and integer factorization whose quality is attested by complexity analysis rather than the earlier benchmarking of their performance. A beautiful account of the symbiotic relationship between number theory and complexity theory is given by Adleman, who prefaces his article by saying that "Though algorithmic number theory is one of man's oldest intellectual pursuits, its current vitality is unrivaled in history. This is due in part to the injection of new ideas from computational complexity."



1.2. Cryptography and information theory 

In a companion paper to his famous paper on information theory, Shannon introduced a rigorous theory of perfect secrecy based on information theory. The theory addresses adversary algorithms which have unlimited computational resources. Thus, all definitions of security, which we will refer to henceforth as information theoretic security, and proofs of possibility and impossibility are with respect to such an adversary. Shannon proves that "perfectly secure encryption" can only exist if the size of the secret information that legitimate parties exchange between them in person prior to remote transmission is as large as the total entropy of the secret messages they exchange remotely. Maurer generalized these bounds to two-way communications. This limits the practice of encryption based on information theory a great deal. Even worse, the modern cryptographic tasks of public-key encryption, digital signatures, pseudo-random number generation, and most two-party protocols can be proved downright impossible information theoretically. To achieve those, we turn to adversaries who are limited computationally and aim at computational security, at the cost of making computational assumptions or assumptions about the physical world.

Having said that, some cryptographic tasks can achieve full information theoretic security. A stellar example is multi-party computation. Efficient and information theoretically secure multi-party protocols are possible unconditionally, tolerating less than half faults, if there are perfect private channels between each pair of honest users. Statistical zero-knowledge proofs are another example.

Perfect private channels between pairs of honest users can be implemented in several settings: (1) the noisy channel setting (a generalization of the wire-tap channel), where the communication between users in the protocol as well as what the adversary taps is subject to noise; (2) a setting where the adversary's memory (i.e. ability to store data) is limited; (3) the quantum channel setting where, by quantum mechanics, it is impossible for the adversary to obtain full information on messages exchanged between honest users. Introducing new and reasonable such settings which enable information theoretic security is an important activity.

Moreover, often paradigms and constructions introduced within the computational security framework can be and have been lifted out to achieve information theoretic security. The development of randomness extractors from pseudo-random number generators can be done in this fashion.

We note that whereas the computational complexity notions of secrecy, knowledge, and pseudo-randomness are different from their information theoretic analogues, techniques of error recovery developed in information theory are extremely useful. Examples include the Hadamard error-correcting code, which is used to exhibit hard-core predicates in one-way functions, and various polynomial-based error-correcting codes which enable high fault tolerance in multi-party computation.

To sum up, the theory of cryptography has in the last 30 years turned into a rich field with its own rules, structure, and mathematical beauty, which has helped to shape complexity theory. In the talk, I will attempt to lead you through a short summary of what I believe to have been a fascinating journey of modern cryptography. I apologize in advance for describing my own journey, at the expense of other points of view. I attach a list of references including several survey articles that contain full details and proofs.

In the rest of the article, I will briefly reflect on a few points which will make 
my lecture easier to follow. 



2. Conventions and complexity theory terminology

We say that an algorithm is polynomial time if for all inputs $x$, the algorithm runs in time bounded by some polynomial in $|x|$, where the latter denotes the length of $x$ when represented as a binary string. A probabilistic algorithm is one that can make random choices, where without loss of generality each choice is among two alternatives and is taken with probability 1/2. We view these choices as the algorithm's coin tosses. A probabilistic algorithm $A$ on input $x$ may have more than one possible output depending on the outcome of its coin tosses, and we will let $A(x)$ denote the probability distribution over all possible outputs. We say that a probabilistic algorithm is probabilistic polynomial time (PPT) if for any input $x$, the expectation of the running time taken over all possible coin tosses is bounded by some polynomial in $|x|$, regardless of the outcome of the coin tosses.

In complexity theory, we often speak of language classes. A language is a subset of all binary strings. The class P is the set of languages such that there exists a polynomial time algorithm which on every input $x$ can decide if $x$ is in the language or not. The class BPP consists of those languages whose membership can be decided by a probabilistic polynomial time algorithm which, for every input, is incorrect with at most negligible probability taken over the coin tosses of the algorithm. The class NP is the class of languages accepted by a polynomial time non-deterministic algorithm which may make non-deterministic choices at every point of the computation. Another characterization of NP is as the class of languages that have short proofs of membership. Formally,

$$NP = \{L \mid \exists \text{ a polynomial time computable function } f \text{ and } k > 0 \text{ such that } x \in L \text{ iff } \exists y \text{ with } f(x,y) = 1 \text{ and } |y| < |x|^k\}.$$
In this article, we consider an 'easy' computation to be one which is carried out by a PPT algorithm. A function $\nu: \mathbb{N} \to \mathbb{R}$ is negligible if it vanishes faster than the inverse of any polynomial. All probabilities are defined with respect to finite probability spaces.



3. Indistinguishability 

Indistinguishability of probability distributions is a central concept in modern cryptography. It was first introduced in the context of defining security of encryption systems by Goldwasser and Micali. Subsequently, it turned out to play a fundamental role in defining pseudo-randomness by Yao, and zero-knowledge proofs by Goldwasser, Micali, and Rackoff.

Definition 1 Let $X = \{X_k\}_k$, $Y = \{Y_k\}_k$ be two ensembles of probability distributions on $\{0,1\}^k$. We say that $X$ is computationally indistinguishable from $Y$ if $\forall$ probabilistic polynomial time algorithms $A$, $\forall c > 0$, $\exists k_0$ s.t. $\forall k > k_0$,

$$\left| \Pr_{t \in X_k}[A(t) = 1] - \Pr_{t \in Y_k}[A(t) = 1] \right| < \frac{1}{k^c}.$$

The algorithm $A$ used in the above definition is called a polynomial time statistical test.



Namely, for sufficiently long strings, no probabilistic polynomial time algorithm can tell whether the string was sampled according to $X$ or according to $Y$. Note that such a definition cannot make sense for a single string, as it can be drawn from either distribution. Although we chose to focus on polynomial time indistinguishability, one could instead talk of distributions which are indistinguishable with respect to any other computational resource, in which case all the algorithms $A$ in the definition should be bounded by the relevant computational resource. This has been quite useful when applied to space bounded computations.

Of particular interest are those probability distributions which are indistinguishable from the uniform distribution; these are called pseudo-random distributions.

Let $U = \{U_k\}$ denote the uniform probability distribution on $\{0,1\}^k$. That is, for every $\alpha \in \{0,1\}^k$, $\Pr_{x \in U_k}[x = \alpha] = \frac{1}{2^k}$.

Definition 2 We say that $X = \{X_k\}_k$ is pseudo-random if it is computationally indistinguishable from $U$. That is, $\forall$ probabilistic polynomial time algorithms $A$, $\forall c > 0$, $\exists k_0$ such that $\forall k > k_0$,

$$\left| \Pr_{t \in X_k}[A(t) = 1] - \Pr_{t \in U_k}[A(t) = 1] \right| < \frac{1}{k^c}.$$

If $\exists A$ and $c$ such that the condition in Definition 2 is violated, we say that $X_k$ fails the statistical test $A$.
A simple but not very interesting example of two probability distributions which are computationally indistinguishable is two distributions which are statistically very close. For example, let $X = \{X_k\}$ be defined exactly as the uniform distribution over $\{0,1\}^k$ with two exceptions: $0^k$ appears with probability $\frac{2}{2^k}$ and $1^k$ appears with probability $0$. Then the uniform distribution and $X$ cannot be distinguished by any algorithm (even one with no computational restrictions) as long as it is only given a polynomial size sample from one of the two distributions.

It is fair to ask at this point whether computational indistinguishability is anything more than statistical closeness, where the latter is formally defined as follows.

Definition 3 Two probability distributions $X, Y$ are statistically close if $\forall c > 0$, $\exists k_0$ such that $\forall k > k_0$,

$$\sum_t \left| \Pr[t \in X_k] - \Pr[t \in Y_k] \right| < \frac{1}{k^c}.$$

$X$ and $Y$ are far if they are not close.

Do there exist distributions which are statistically far apart and yet are computationally indistinguishable? Goldreich and Krawczyk, who posed the question, note this to be the case by a counting argument. However, their argument is non-constructive. The works on secure encryption and pseudo-random number generators imply the existence of efficiently constructible pairs of distributions that are computationally indistinguishable but statistically far, under the existence of one-way functions. The use of assumptions is no accident.

Theorem 4 The existence of one-way functions is equivalent to the existence of pairs of polynomial-time constructible distributions which are computationally indistinguishable and statistically far.

4. Building blocks 

A central building block required for many tasks in cryptography is the ex- 
istence of a one-way function. Let us discuss this basic primitive as well as a few 
others in some detail. 

4.1. One-way functions 

Informally, a one-way function is a function which is "easy" to compute but 
"hard" to invert. Any probabilistic polynomial time (PPT) algorithm attempting 
to invert the function on an element in its range, should succeed with no more than 
"negligible" probability, where the probability is taken over the elements in the 
domain of the function and the coin tosses of the PPT attempting the inversion. 
We often refer to an algorithm attempting to invert the function as an adversary 
algorithm. 
Definition 5 A function $f: \{0,1\}^* \to \{0,1\}^*$ is one-way if:

1. Easy to Evaluate: there exists a PPT algorithm that on input $x$ outputs $f(x)$;

2. Hard to Invert: for all PPT algorithms $A$, for all $c > 0$, there exists $k_0$ such that for all $k > k_0$,

$$\Pr[A(1^k, f(x)) = z : f(x) = f(z)] < \frac{1}{k^c}$$

where the probability is taken over $x \in \{0,1\}^k$ and the coin tosses of $A$.

Note Unless otherwise mentioned, the probabilities during this section are calculated uniformly over all coin tosses made by the algorithm in question.

A few remarks are in order. (1) The guarantee is probabilistic. The adversary has low probability of inverting the function, where the probability distribution is taken over the inputs of length $k$ to the one-way function and the possible coin tosses of the adversary.

(2) The adversary is not asked to find $x$; that would be pretty near impossible. It is asked to find some inverse of $f(x)$. Naturally, if the function is 1-1 then the only inverse is $x$. We note that it is much easier to find candidate one-way functions without imposing further restrictions on their structure, but being 1-1, or at least regular (that is, every image has about the same number of preimages), results in easier and more efficient cryptographic constructions.

(3) One may consider a non-uniform version of the "hard to invert" requirement, requiring the function to be hard to invert by all non-uniform polynomial size families of algorithms, rather than by all probabilistic polynomial time algorithms. The former extends probabilistic polynomial time algorithms to allow, for each different input size, a different polynomial size algorithm.

(4) The definition is typical of definitions from computational complexity theory, which work with asymptotic complexity — what happens as the size of the problem becomes large. One-wayness is only asked to hold for large enough input lengths, as $k$ goes to infinity. Per this definition, it may be entirely feasible to invert $f$ on, say, 512 bit inputs. Thus such definitions are useful for studying things on a basic level, but need to be adapted to be directly relevant to practice.

(5) The above definition can be considerably weakened by replacing the second requirement to require the function to be hard to invert only on some non-negligible fraction of its inputs (rather than on all but a negligible fraction of its inputs). This relaxation to a weak one-way function is motivated by the following example. Consider the function $f: \mathbb{Z} \times \mathbb{Z} \to \mathbb{Z}$ where $f(x,y) = x \cdot y$. This function can be easily inverted on at least half of its outputs (namely, on the even integers) and thus is not a one-way function as defined above. Still, $f$ resists all efficient algorithms when $x$ and $y$ are primes of roughly the same length, which is the case for a non-negligible fraction ($\approx 1/k^2$) of the $k$-bit composite integers. Thus according to our current state of knowledge of integer factorization, $f$ does satisfy the weaker requirement. Conversion of any weak one-way function into a one-way function has been shown using "hardness amplification" techniques which expand the size of the input by a polynomial factor. Using expanders, a construction of a one-way function from a weak one-way function with only a constant factor expansion of the input size is possible.

(6) To apply this definition to practice we must typically envisage not a single one-way function but a family of them, parameterized by a security parameter $k$. That is, for each value of the security parameter $k$, there is a family of functions, each defined over some finite domain and finite range. The existence of a single one-way function is equivalent to the existence of a collection of one-way functions.

Definition 6 A collection of one-way functions is a set $F = \{f_i : D_i \to R_i\}_{i \in I}$ where $I$ is an index set, and $D_i$ ($R_i$) is a finite domain (range) for $i \in I$, satisfying the following conditions.

1. Selection in Collection: $\exists$ PPT algorithm $S_1$ that on input $1^k$ outputs an $i \in I$ where $|i| = k$.

2. Selection in Domain: $\exists$ PPT algorithm $S_2$ that on input $i \in I$ outputs $x \in D_i$.

3. Easy to Evaluate: $\exists$ PPT algorithm Eval such that for $i \in I$ and $x \in D_i$, $\mathrm{Eval}(i, x) = f_i(x)$.

4. Hard to Invert: $\forall$ PPT adversary algorithms $A$, $\forall c > 0$, $\exists k_0$ such that $\forall k > k_0$,

$$\Pr[A(1^k, i, f_i(x)) = z : f_i(x) = f_i(z)] < \frac{1}{k^c}$$

(the probability is taken over $i \in S_1(1^k)$, $x \in S_2(i)$ and the coin tosses of $A$).

The hardness to invert condition can be made weaker by requiring only that $\exists c > 0$ such that $\forall$ PPT algorithms $A$, $\exists k_0$ such that $\forall k > k_0$, $\Pr[A(1^k, i, f_i(x)) \neq z,\ f_i(x) = f_i(z)] > \frac{1}{k^c}$ (the probability taken over $i \in S_1(1^k)$, $x \in S_2(i)$ and the coin tosses of $A$). We call collections which satisfy such weaker conditions collections of weak one-way functions. Transformations exist via sampling algorithms between both types of collections.

Another useful and equivalent notion is that of a one-way predicate. This is a Boolean function of great use in encryption and protocol design. A one-way predicate is equivalent to the existence of 0/1 problems for which it is possible to uniformly select an instance for which the answer is 0 (or respectively 1), and yet for a (pre-selected) instance it is hard to compute, with success probability greater than $\frac{1}{2}$, whether the answer is 0 or 1.

Definition 7 A one-way predicate is a Boolean function $B: \{0,1\}^* \to \{0,1\}$ for which

1. Sampling is possible: $\exists$ PPT algorithm $S$ that on input $v \in \{0,1\}$ and $1^k$ outputs a random $x$ such that $B(x) = v$ and $x \in \{0,1\}^k$.

2. Guessing is hard: $\forall c > 0$, $\forall$ PPT algorithms $A$, $\forall k$ sufficiently large, $\Pr[A(x) = B(x)] < \frac{1}{2} + \frac{1}{k^c}$ (probability is taken over $v \in \{0,1\}$, $x \in S(1^k, v)$, and the coin tosses of $A$).

Proving the equivalence between one-way predicates and one-way functions is easy in the forward direction, by viewing the sampling algorithm $S$ as a function over its coin tosses. To prove the reverse implication is quite involved. Toward this goal, the notion of a hard-core predicate of a one-way function was introduced. Jumping ahead, hard-core predicates of one-way functions immediately yield one-way predicates.
4.1.1. Hard-core predicates

The fact that $f$ is a one-way function obviously does not necessarily imply that $f(x)$ hides everything about $x$. It is easy to come up with constructions of one-way functions in which one of the bits of $x$ leaks from $f(x)$. Even if each bit of $x$ is well hidden by $f(x)$, some function of all of the bits of $x$ can be easy to compute. For example, the least significant bit of $x$ is easy to compute from $f_{p,g}(x) = g^x \bmod p$, where $p$ is a prime and $g$ a generator for the cyclic group $\mathbb{Z}_p^*$, even though we know of no polynomial time algorithm to compute $x$ from $f_{p,g}(x)$. Similarly, it is easy to compute the Jacobi symbol of $x$ mod $n$ from the RSA function $RSA_{n,e}(x) = x^e \bmod n$ where $\gcd(e, \phi(n)) = 1$, even though the fastest algorithm to invert $RSA_{n,e}$ needs to factor the integer $n$ first, which is not known to be a polynomial time computation.

Yet, clearly there are some bits of information about $x$ which cannot be computed from $f(x)$, given that $x$ in its entirety is hard to compute. The question is, which bits of $x$ are hard to compute, and how hard to compute are they. The answer is encouraging. For several functions $f$ for which no polynomial time inverting algorithm is known, we can identify particular bits of the pre-image of $f$ which can be proven (via a polynomial time reduction) to be as hard to compute with probability significantly better than $\frac{1}{2}$ as it is to invert $f$ itself in polynomial time. Examples of these can be found in the references.

More generally, a hard-core predicate for $f$ is a Boolean predicate about $x$ which is efficiently computable given $x$, but is hard to compute from $f(x)$ with probability significantly better than $\frac{1}{2}$.

Definition 8 A hard-core predicate of a function $f: \{0,1\}^* \to \{0,1\}^*$ is a Boolean predicate $B: \{0,1\}^* \to \{0,1\}$ such that

1. $\exists$ PPT algorithm Eval such that $\forall x$, $\mathrm{Eval}(x) = B(x)$;

2. $\forall$ PPT algorithms $A$, $\forall c > 0$, $\exists k_0$ s.t. $\forall k > k_0$, $\Pr[A(f(x)) = B(x)] < \frac{1}{2} + \frac{1}{k^c}$. The probability is taken over the random coin tosses of $A$, and random choices of $x$ of length $k$.

Yao proposed a construction of a hard-core predicate for any one-way function. A considerably simpler construction and proof of the general result is due to Goldreich and Levin.

Theorem 9 Let $f$ be a length-preserving one-way function. Define $f'(x \circ r) = f(x) \circ r$, where $|x| = |r| = k$, and $\circ$ is the concatenation function. Then

$$B(x \circ r) = \sum_{i=1}^{k} x_i r_i \pmod 2$$

is a hard-core predicate for $f'$ (notice that if $f$ is one-way then so is $f'$).

Interestingly, the proof of the theorem can be regarded as the first example of a polynomial time list decoding algorithm. Essentially $B(x, r)$ may be viewed as the $r$th bit of a Hadamard encoding of $x$. The proof of the theorem yields a polynomial time error decoding algorithm which returns a polynomial size list of candidates for $x$, as long as the encoding is subject to an error rate of less than $\frac{1}{2} - \epsilon$ where $\epsilon > \frac{1}{k^c}$ for some constant $c > 0$, $k = |x|$. The length of the list is $O(\frac{1}{\epsilon^2})$.
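The list decoding view above, worked through as an added example that is not part of the original paper: the Goldreich-Levin algorithm in Python, run against a constructed oracle that predicts $B(x \circ r) = \langle x, r \rangle \bmod 2$ with error rate 0.15 for $k = 8$. The parameters k, t, the error rate, the seed and the fixed secret are illustrative choices; the final agreement filter stands in for the check $f(x') = f(x)$ that the inversion reduction would perform on each candidate.

```python
"""Goldreich-Levin list decoding of a noisy Hadamard codeword (added example).

The Hadamard encoding of x in {0,1}^k is the 2^k-bit string whose r-th bit is
<x, r> mod 2.  A predictor for the hard-core predicate B(x o r) that is right on a
1/2 + eps fraction of all r is a corrupted codeword; the algorithm below recovers a
short list of candidates for x using polynomially many oracle queries.
"""
import random


def inner_product(x: int, r: int) -> int:
    """B(x o r) = sum_i x_i r_i mod 2 on k-bit integers: parity of the bitwise AND."""
    return bin(x & r).count("1") & 1


def make_noisy_oracle(x: int, k: int, error_rate: float, rng: random.Random):
    """Constructed oracle g: {0,1}^k -> {0,1} equal to <x, r> except on a random
    error_rate fraction of inputs (a predictor with advantage 1/2 - error_rate).
    Returns the lookup table and the exact fraction of inputs on which it is right."""
    table = {}
    correct = 0
    for r in range(1 << k):
        bit = inner_product(x, r)
        if rng.random() < error_rate:
            bit ^= 1
        else:
            correct += 1
        table[r] = bit
    return table, correct / (1 << k)


def goldreich_levin(g, k: int, t: int, rng: random.Random):
    """Return the candidate list for x.

    Draw r_1..r_t at random and try every guess b in {0,1}^t for the bits <x, r_j>.
    For a nonempty S subset of [t], r_S = XOR_{j in S} r_j and b_S = XOR_{j in S} b_j,
    so under the correct guess  g(r_S xor e_i) xor b_S  equals x_i whenever g is
    right at r_S xor e_i.  Each x_i is the majority of these votes; the r_S are
    pairwise independent, so 2^t on the order of k / eps^2 subsets suffice.
    """
    base = [rng.getrandbits(k) for _ in range(t)]
    subsets = range(1, 1 << t)                      # nonempty S as t-bit masks
    r_S = {}
    for mask in subsets:
        v = 0
        for j in range(t):
            if mask >> j & 1:
                v ^= base[j]
        r_S[mask] = v
    # The oracle queries do not depend on the guess: ask once per (S, i).
    queries = {(mask, i): g[r_S[mask] ^ (1 << i)] for mask in subsets for i in range(k)}
    candidates = set()
    for guess in range(1 << t):                     # bit j of guess = guessed <x, r_j>
        b_S = {mask: bin(guess & mask).count("1") & 1 for mask in subsets}
        x_cand = 0
        for i in range(k):
            votes = sum(queries[(mask, i)] ^ b_S[mask] for mask in subsets)
            if 2 * votes > len(subsets):
                x_cand |= 1 << i
        candidates.add(x_cand)
    return sorted(candidates)


def filter_by_agreement(g, k: int, candidates, threshold: float):
    """Keep candidates whose Hadamard codeword agrees with g on at least a
    threshold fraction of all 2^k inputs.  For toy k this exhaustive check is
    affordable; in the inversion reduction one would instead test f(x') = f(x)."""
    kept = []
    for x_cand in candidates:
        agree = sum(g[r] == inner_product(x_cand, r) for r in range(1 << k))
        if agree / (1 << k) >= threshold:
            kept.append(x_cand)
    return kept


def demo(k: int = 8, t: int = 8, error_rate: float = 0.15, seed: int = 7):
    """Build a noisy predictor for a fixed constructed secret x and list-decode it."""
    x_secret = 0b10110010                            # constructed secret, k = 8 bits
    rng = random.Random(seed)                        # seeded so the run is repeatable
    g, agreement = make_noisy_oracle(x_secret, k, error_rate, rng)
    eps = agreement - 0.5                            # the predictor's advantage
    candidates = goldreich_levin(g, k, t, rng)
    filtered = filter_by_agreement(g, k, candidates, 0.5 + eps / 2)
    return x_secret, agreement, candidates, filtered


if __name__ == "__main__":
    x, agreement, cands, kept = demo()
    print(f"oracle agreement {agreement:.3f}; {len(cands)} raw candidates; kept {kept}")
    print("recovered secret" if kept == [x] else "decoding failed")
```

The raw list contains one entry per guess of the t inner products, most of them junk from wrong guesses; only the candidate consistent with the oracle survives the filter.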
4.2. Trapdoor functions

A trapdoor function $f$ is a one-way function with an extra property. There also exists a secret inverse function (the trapdoor) that allows its possessor to efficiently invert $f$ at any point in the domain of his choosing. It should be easy to compute $f$ on any point, but infeasible to invert $f$ with high probability without knowledge of the inverse function. Moreover, it should be easy to generate matched pairs of $f$'s and corresponding trapdoors.

Definition 10 A trapdoor function is a one-way function $f: \{0,1\}^* \to \{0,1\}^*$ such that there exists a polynomial $p$ and a probabilistic polynomial time algorithm $I$ such that for every $k$ there exists a $t_k \in \{0,1\}^*$ such that $|t_k| \le p(k)$ and for all $x \in \{0,1\}^k$, $I(f(x), t_k) = y$ such that $f(y) = f(x)$.

Trapdoor functions are much harder to locate than one-way functions, as they seem to require much more hidden structure. An important problem is to establish whether one implies the other. Recent results indicate this may not be the case.

A trapdoor predicate is a one-way predicate with an extra trapdoor property: for every $k$, there must exist trapdoor information $t_k$ whose size is bounded by a polynomial in $k$ and whose knowledge enables the polynomial-time computation of $B(x)$ for all $x \in \{0,1\}^k$. Restating this as a collection of trapdoor predicates we get:

Definition 11 Let $I$ be an index set and for $i \in I$, $D_i$ a finite domain. A collection of trapdoor predicates is a set $B = \{B_i : D_i \to \{0,1\}\}_{i \in I}$ such that:

1. $\exists$ PPT algorithm $S_1$ which on input $1^k$ outputs $(i, t_i)$ where $i \in I \cap \{0,1\}^k$ and $|t_i| < poly(k)$ ($t_i$ is the trapdoor).

2. $\exists$ PPT algorithm $S_2$ which on input $i \in I$, $v \in \{0,1\}$ outputs $x \in D_i$ such that $B_i(x) = v$.

3. $\exists$ PPT algorithm $S_3$ which on input $i \in I$, $x \in D_i$, $t_i$ outputs $B_i(x)$.

4. $\forall$ PPT adversary algorithms $A$, $\forall c > 0$, $\exists k_0$, $\forall k > k_0$, $\Pr[A(i, x) = B_i(x)] < \frac{1}{2} + \frac{1}{k^c}$ (the probability taken over $(i, t_i) \in S_1(1^k)$, $v \in \{0,1\}$, $x \in S_2(i, v)$, and the coins of $A$).

The existence of a trapdoor predicate is equivalent to the existence of secure 
public-key encryption as we shall see in the next section. Trapdoor functions imply 
trapdoor predicates, but it is an open problem to show that they are equivalent. 

Claim 12 If trapdoor functions exist then collections of trapdoor predicates exist.

4.3. Candidate examples of building blocks 

It has been shown by a fairly straightforward diagonalization argument [?] 
how to construct a universal one-way function (i.e. a function which is one-way if 
any one-way function exists). Still this is very inefficient, and concrete proposals for 
one-way functions are needed for any practical usage of cryptographic constructions 
which utilize one-way functions. Moreover, looking into the algebraic, combinato- 
rial, and geometric structure of concrete proposals has led to many insights about 
what could be true about general one-way functions. The revelation process seems 
almost always to start from proving properties about concrete examples and then gener- 
alizing to proving properties of general one-way functions. 

Interesting proposals for one-way functions, trapdoor functions, and trapdoor 
predicates have been based on hard computational problems from number theory, 
coding theory, algebraic geometry, and geometry of numbers. What makes a com- 
putational problem a "suitable" candidate? First, it should be put under extensive 
scrutiny by the relevant mathematical community. Second, the problem should be 
hard on the average and not only in the worst case. A big project in cryptography 
is the construction of cryptographic functions which are provably hard to break on 
the average under some worst-case computational complexity assumption. A central 
technique is to show that a problem is as hard for an average instance as it is for 
a worst case instance by random self reducibility [?]. A problem $P$ is random self 
reducible if there exists a probabilistic polynomial time algorithm that maps any 
instance $I$ of $P$ to a collection of random instances of $P$ such that given solutions to 
the random instances, one can efficiently obtain a solution to the original instance. 
Variations would allow mapping any instance of $P$ to random instances of $P'$.* 

Perhaps the most interesting problem in cryptography today is to show (or 
rule out) that the existence of a one-way function is equivalent to NP $\neq$ BPP. 

For lack of space, we discuss in brief a few proposals. 

4.3.1. Discrete logarithm problem proposal 

Let $p$ be a prime integer and $g$ a generator for the multiplicative cyclic group 
$Z_p^* = \{1 \le y < p : (y,p) = 1\}$. The discrete log problem (DLP) is: given $p$, $g$, and 
$y \in Z_p^*$, compute the unique $x$ such that $1 \le x \le p-1$ and $y = g^x \bmod p$. The 
discrete log problem was first suggested to be useful for key exchange over a 
public channel by Diffie and Hellman [?]. 

The function $DL(p,g,x) = (p, g, g^x \bmod p)$, and the corresponding collection 
of functions $DL = \{DL_{p,g} : Z_{p-1} \to Z_p^*,\ DL_{p,g}(x) = g^x \bmod p\}_{\langle p,g \rangle \in I}$ where 
$I = \{\langle p,g \rangle : p \text{ prime}, g \text{ generator}\}$ have served as proposals for a one-way func- 
tion and a collection of one-way functions (respectively). On one hand, there exist 
efficient algorithms to select pairs $(p,g)$ of a given length with uniform probability 
[?], and to perform modular exponentiation. On the other hand, the fastest algo- 
rithm to solve the discrete log problem is the generalized number field sieve version 
of the index-calculus method which runs in expected time $e^{(c+o(1))(\log p)^{1/3}(\log\log p)^{2/3}}$ 
(see survey [?]). Moreover, for a fixed prime $p$, $DL(p, g, g^x \bmod p)$ can be shown 
to be as hard to invert on the average over $1 \le x \le p-1$ and generators $g$, as it is 
for every $g$ and $x$. 

*This technique was first observed and applied to the number theoretic problems of factoring, 
discrete log, testing quadratic residuosity, and the RSA function. In each of these problems, one 
could use the algebraic structure to show how to map a particular input uniformly and randomly 
to other inputs in such a way that the answer for the original input can be recovered from the 
answers for the targets of the random mapping. Showing that polynomials are randomly self 
reducible over finite fields was applied to the low-degree polynomial representations of Boolean 
functions, and has been a central and useful technique in probabilistically checkable proofs. 
An important open problem is to prove that, without first fixing the prime 
$p$, solving the discrete log problem for an average instance $(p, g, y)$ is as hard on the 
average as in the worst case. 
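The random self-reduction for a fixed prime $p$ described above can be made concrete. The following Python program is an added illustration, not part of the survey: a "partial" discrete-log oracle (a constructed toy that brute-forces the logarithm over a tiny prime but refuses every instance with $(g' + y') \bmod 3 \neq 0$, standing in for an algorithm that only succeeds on some fraction of random instances) is turned into a solver for every $(g, y)$ by randomizing both the exponent (multiplying $y$ by $g'^r$) and the generator (replacing $g$ by $g^a$ with $\gcd(a, p-1) = 1$). The prime $p = 1019$, the oracle's refusal rule and the function names are assumptions of the example.

```python
import random
from math import gcd

# Added example (not from the survey): random self-reducibility of the
# discrete log problem for a FIXED prime p.  An oracle that answers only
# some instances (g', y') is turned into a solver for EVERY instance (g, y)
# by randomising both the exponent and the generator, which is exactly the
# "average over 1 <= x <= p-1 and over generators g" statement in the text.
# p and the oracle's refusal rule are constructed toy values.

P = 1019                       # small prime so the toy oracle can brute-force
rng = random.Random(2024)

def is_generator(g, p):
    """g generates Z_p^* iff g^((p-1)/r) != 1 for every prime r dividing p-1."""
    order = p - 1
    factors, m, r = set(), order, 2
    while r * r <= m:
        while m % r == 0:
            factors.add(r)
            m //= r
        r += 1
    if m > 1:
        factors.add(m)
    return all(pow(g, order // r, p) != 1 for r in factors)

def toy_oracle(p, g, y):
    """Stands in for an algorithm that succeeds on a fraction of instances:
    it brute-forces the logarithm only when (g + y) % 3 == 0 and otherwise
    refuses (returns None)."""
    if (g + y) % 3 != 0:
        return None
    for x in range(0, p - 1):
        if pow(g, x, p) == y:
            return x
    return None

def dlog_by_self_reduction(p, g, y, oracle=toy_oracle, max_tries=200):
    """Solve y = g^x mod p for an arbitrary (g, y) with an oracle that works
    only on part of the instance space.  Each try maps (g, y) to a uniformly
    random instance (g', y') whose answer x' yields x."""
    for _ in range(max_tries):
        # Randomise the generator: g' = g^a with gcd(a, p-1) = 1 is again a
        # generator, uniformly distributed over all generators.
        while True:
            a = rng.randrange(1, p - 1)
            if gcd(a, p - 1) == 1:
                break
        g2 = pow(g, a, p)
        # Randomise the exponent: y' = y * g'^r is uniform over Z_p^*.
        r = rng.randrange(0, p - 1)
        y2 = (y * pow(g2, r, p)) % p
        x2 = oracle(p, g2, y2)
        if x2 is None or pow(g2, x2, p) != y2:     # oracle failed: re-randomise
            continue
        # y' = g'^{x'} = g^{a x'} and y' = y * g^{a r}, hence y = g^{a (x' - r)}.
        x = (a * (x2 - r)) % (p - 1)
        if pow(g, x, p) == y:
            return x
    return None
```

Because the oracle is deterministic, retrying on the same instance would never help; it is the re-randomisation of the instance on every try that makes the original, possibly "hard", instance solvable.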

In the mid-eighties an extension of the discrete logarithm problem over prime 
integers to computing discrete logarithms over elliptic curves was suggested by 
Koblitz and V. Miller (see survey [?]). The attraction is that the fastest algorithms 
known for computing logarithms over elliptic curves are of complexity $O(\sqrt{p})$ for 
the finite field $F_p$. The main concern is that they have not been around long enough 
to go under extensive scrutiny, and that the intersection between the mathematical 
community who can offer such scrutiny and the cryptographic community is not 
large. 

4.3.2. Shortest vector in integer lattices proposal 

In a celebrated paper [?] Ajtai described a problem that is hard on the av- 
erage if some well-known integer lattice problems are hard to approximate in the 
worst case, and demonstrated how this problem can be used to construct one-way 
functions. Previous worst case to average case reductions were applied to two pa- 
rameter problems and the reduction was shown upon fixing one parameter (e.g. in 
the discrete logarithm problem random self reducibility was shown fixing the prime 
parameter), whereas the reduction of [?] is the first which averages over all parameters. 

Let $V$ be a set of $n$ linearly independent vectors $V = \{v_1, \ldots, v_n\}$, $v_i \in \mathbb{R}^n$. 
The integer lattice spanned by $V$ is the set of all possible linear combinations of the 
$v_i$'s with integer coefficients, namely $L(V) = \{\sum_i a_i v_i : a_i \in \mathbb{Z} \text{ for all } i\}$. We call 
$V$ the basis of the lattice $L(V)$. We say that a set of vectors $L \subseteq \mathbb{R}^n$ is a lattice if 
there is a basis $V$ such that $L = L(V)$. 

Finding "short vectors" (i.e., vectors with small Euclidean norm) in lattices 
is a hard computational problem. There are no known efficient algorithms to find 
or even approximate - given an arbitrary basis of a lattice - either the shortest 
non-zero vector in the lattice, or another basis for the same lattice whose longest 
vector is as short as possible. Given an arbitrary basis $B$ of a lattice $L$ in $\mathbb{R}^n$, the 
best algorithm to approximate (up to a polynomial factor in $n$) the length of the 
shortest vector in $L$ is the algorithm of [?] which approximates these problems to 
within a ratio of $2^{n/2}$ in the worst case, and its improvement [?] to ratio $(1+\epsilon)^n$ 
for any fixed $\epsilon > 0$. 

Ajtai reduced the worst-case complexity of problem (W), which is closely re- 
lated to the length of the shortest vector and basis in a lattice, to the average-case 
complexity of problem (A) (the version presented here is due to Goldreich, Goldwasser, 
and Halevi [?]). 

W : Given an arbitrary basis $B$ of a lattice $L$, find a set of $n$ linearly independent 
lattice vectors, whose length is at most polynomially (in $n$) larger than the 
length of the smallest set of $n$ linearly independent lattice vectors. (The length 
of a set of vectors is the length of its longest vector.) 

A : Let parameters $n, m, q \in \mathbb{N}$ be such that $n \log q < m <$ [illegible] and $q = O(n^c)$ 
for some constant $c > 0$. Given a matrix $M \in Z_q^{n \times m}$, find a vector $x \in 
\{-1, 0, 1\}^m$, $x \neq 0$, so that $Mx = 0 \pmod q$. 
Theorem 13 [?, ?] Suppose that it is possible to solve a uniformly selected instance 
of Problem (A) in expected $T(n,m,q)$-time, where the expectation is taken over the 
choice of the instance as well as the coin-tosses of the solving algorithm. Then it is 
possible to solve Problem (W) in expected $\mathrm{poly}(|I|) \cdot T(n, \mathrm{poly}(n), \mathrm{poly}(n))$ time on 
every $n$-dimensional instance $I$, where the expectation is taken over the coin-tosses 
of the solving algorithm. 

The construction of a candidate one-way function follows in a straightforward 
fashion. Let $M$ be a random $k \times m$ matrix with entries from $Z_q$, where $m$ and 
$q$ are chosen so that $k \log q < m <$ [illegible] and $q = O(k^c)$ for some constant $c > 0$ ($k$ 
here is the security parameter). 

The one-way function candidate is then $f(M, s) = (M, Ms \bmod q) = (M, \sum_i s_i M_i \bmod 
q)$ where $s = s_1 s_2 \cdots s_m \in \{0,1\}^m$ and $M_i$ is the $i$'th column of $M$. We note that 
this function is regular. 



4.3.3. Factoring integers proposal 

Consider the function $\mathrm{Squaring}(n,x) = (n, x^2 \bmod n)$ where $n = pq$ for 
$p, q \in \mathbb{Z}$ prime numbers and $x \in Z_n^*$, and the corresponding collection of func- 
tions $\mathrm{Squaring} = \{\mathrm{Squaring}_n(x) = x^2 \bmod n : Z_n^* \to Z_n^*,\ n = pq,\ p, q \text{ primes}, |p| = 
|q| = k\}_k$. This function is easy to compute without knowing the factorization of $n$, 
and is easy to invert given the factorization of $n$ (the trapdoor) using fast square 
root extraction algorithms modulo prime moduli [?] and the Chinese remainder the- 
orem. Moreover, as primes are abundant by the prime number theorem ([illegible] 
for $k$-bit primes) and there exist probabilistic expected polynomial time algorithms 
for primality testing [?, ?], it is easy to uniformly select $n, p, q$ of the right form. 



In terms of hardness to invert, Rabin [?] has shown it as hard to invert as it is 
to factor $n$, as follows. Suppose there exists an algorithm $A$ that inverts $\mathrm{Squaring}_n$ 
(i.e. extracts square roots mod $n$). Choose $r \in Z_n^*$ 
at random. Let $y = A(r^2 \bmod n)$. If $y \neq r$ and $y \neq n - r$, then let $p = \gcd(r - y, n)$, else 
choose another $r$ and repeat. Within expected 2 trials you should obtain $p$. The 
asymptotically proven fastest integer factorization algorithm to date is the number 
field sieve which runs in expected time $e^{(c+o(1))(\log n)^{1/3}(\log\log n)^{2/3}}$ [?]. The hardest 
inputs to any factoring algorithm are integers $n = pq$ which are products of two 
primes of similar length. Finally, for a fixed $n$, $\mathrm{Squaring}(n, \cdot)$ can be shown as 
hard to invert on the average over $x \in Z_n^*$ as it is for any $x$. We remark that 
integer factorization was first proposed as a basis for a trapdoor function in 
the celebrated work of Rivest, Shamir and Adleman [?]. 
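Rabin's argument can be run end to end. The Python program below is an added illustration and not part of the survey: the "inverter" $A$ for $\mathrm{Squaring}_n$ is simulated with the trapdoor (square roots modulo $p$ and $q$ combined by the Chinese remainder theorem), returning one of the four roots at random so that the reduction is exercised against an inverter that gives no control over which root comes back. The primes are constructed toy values found by trial division, both congruent to 3 mod 4 so that a square root modulo a prime is a single exponentiation; all function names are assumptions of the example.

```python
import random
from math import gcd

# Added example (not from the survey): Rabin's reduction from factoring
# n = pq to inverting Squaring_n.  The inverter A is simulated with the
# trapdoor so the reduction can be run; p, q are constructed toy primes.

rng = random.Random(7)

def is_prime(n):
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

def next_prime_3_mod_4(start):
    """Smallest prime >= start that is congruent to 3 mod 4."""
    n = start
    while not (is_prime(n) and n % 4 == 3):
        n += 1
    return n

def sqrt_mod_prime_3mod4(y, p):
    """For p = 3 mod 4 and y a quadratic residue, y^((p+1)/4) is a square root."""
    return pow(y, (p + 1) // 4, p)

def crt(a_p, p, a_q, q):
    """Combine residues a_p mod p and a_q mod q into one residue mod pq."""
    return (a_p * q * pow(q, -1, p) + a_q * p * pow(p, -1, q)) % (p * q)

def all_square_roots(y, p, q):
    """The four square roots of a residue y in Z_n^* (trapdoor: p and q)."""
    rp, rq = sqrt_mod_prime_3mod4(y, p), sqrt_mod_prime_3mod4(y, q)
    return sorted({crt(s * rp, p, t * rq, q) for s in (1, -1) for t in (1, -1)})

def make_inverter(p, q):
    """An inverter for Squaring_n that returns an arbitrary root: the argument
    must work whichever of the four roots A happens to return."""
    def A(c):
        return rng.choice(all_square_roots(c, p, q))
    return A

def factor_with_inverter(n, A, max_trials=1000):
    """Rabin's reduction: pick r, ask A for a root y of r^2; if y != +-r then
    gcd(r - y, n) is a proper factor.  Returns (factor, number of trials)."""
    for trial in range(1, max_trials + 1):
        r = rng.randrange(2, n)
        if gcd(r, n) != 1:              # r already shares a factor with n
            return gcd(r, n), trial
        y = A(r * r % n)
        if y != r and y != n - r:       # y = +-r mod one prime, -+r mod the other
            return gcd(r - y, n), trial
    return None, max_trials

def average_trials(n, A, runs=200):
    """Empirical mean number of trials; the text's expectation is 2."""
    return sum(factor_with_inverter(n, A)[1] for _ in range(runs)) / runs
```

Each trial succeeds with probability exactly 1/2 because two of the four roots of $r^2$ are $\pm r$ and the other two reveal a factor, so the number of trials is geometric with mean 2.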

By choosing $p$ and $q$ both congruent to 3 mod 4 and restricting the 
domain of $\mathrm{Squaring}_n$ to the quadratic residues mod $n$, this collection of functions 
becomes a collection of permutations proposed by Williams [?], which are especially 
easy to work with in many cryptographic applications. 

An open problem is to prove that the difficulty of factoring integers is as hard 
on the average as in the worst case. In our terminology an affirmative answer would 
mean that $x^2 \bmod n$ is as hard to invert on the average over $n$ and $x$, as it is for 
any $n$ and $x$. 
4.3.4. Quadratic residues vs. quadratic non residues proposal 

Let $n \in \mathbb{Z}$. Then we call $y \in Z_n^*$ a quadratic residue mod $n$ iff $\exists x \in Z_n^*$ such 
that $y = x^2 \bmod n$. Let us restrict our attention to $n = pq$ where $p \equiv q \equiv 3 \bmod 4$. 

Selecting a random quadratic residue mod $n$ is easy by choosing $r \in Z_n^*$ and 
computing $r^2 \bmod n$. Similarly, for such $n$, selecting a random quadratic non- 
residue is easy by choosing $r \in Z_n^*$ and computing $n - r^2 \bmod n$ (this is a quadratic 
non-residue by the property of the $n$'s chosen). 

On the other hand, deciding whether $x$ is a quadratic residue modulo $n$ for 
$n$ composite (which is the case if and only if it is a quadratic residue modulo 
each of its prime factors) seems a hard computational problem. No algorithm 
is known other than first factoring $n$ and then deciding whether $x$ is a quadratic 
residue modulo all its prime factors. This is easy for a prime modulus by computing 
the Legendre symbol $\left(\frac{x}{p}\right) = x^{\frac{p-1}{2}} \bmod p$ ($= 1$ iff $x$ is a quadratic residue mod $p$). 
The Legendre symbol is generalizable to the Jacobi symbol for composite moduli, 
$\left(\frac{x}{n}\right) = \prod_{p_i^{\alpha_i} \| n} \left(\frac{x}{p_i}\right)^{\alpha_i}$ where $n = \prod_i p_i^{\alpha_i}$. The Jacobi symbol only provides a partial answer 
to whether $x \bmod n$ is a quadratic residue or not. For $x \in J_n^{+1} = \{x \in Z_n^* : \left(\frac{x}{n}\right) = 1\}$, 
it gives no information. 

A proposal by Goldwasser and Micali [?] for a collection of trapdoor predicates 
follows. 

$QR = \{QR_n : J_n^{+1} \to \{0,1\}\}_{n \in I}$ where $I = \{n = pq : p, q \text{ primes}, |p| = |q|\}$, 

$$QR_n(x) = \begin{cases} 0 & \text{if } x \text{ is a quadratic residue mod } n \\ 1 & \text{if } x \text{ is a quadratic non-residue mod } n \end{cases}$$ 

It can be proved that for every $n$, distinguishing between random quadratic 
residues and random quadratic non-residues with Jacobi symbol $+1$ is as hard as 
solving the problem entirely in the worst case. 

Theorem 14 [?] Let $S \subseteq I$. If there exists a PPT algorithm which for every 
$n \in S$ can distinguish between quadratic residues and quadratic non-residues with 
non-negligible probability over $\frac{1}{2}$ (probability taken over $x \in Z_n^*$ and the coin 
tosses of the distinguishing algorithm), then there exists a PPT algorithm which for 
every $n \in S$ and every $x \in Z_n^*$ decides whether $x$ is a quadratic residue mod $n$ with 
probability close to 1. 



5. Encryption case study 

As discussed in the introduction we would like to propose cryptographic schemes 
for which we can prove theorems guaranteeing the security of our proposals. This 
task includes a definition phase, construction phase and a reduction proof which is 
best illustrated with an example. We choose the example of encryption. 

We will address here the simplest setting of a passive adversary who can tap 
the public communication channels between communicating parties. We will mea- 
sure the running time of the encryption, decryption, and adversary algorithms as a 
function of a security parameter k which is a parameter fixed at the time the cryp- 
tosystem is set up. We model the adversary as any probabilistic algorithm which 
runs in time bounded by some polynomial in $k$. Similarly, the encryption and 
decryption algorithms designed are probabilistic and run in time polynomial in $k$. 

5.1. Encryption: definition phase 

Definition 15 A public-key encryption scheme is a triple, $(G, E, D)$, of probabilis- 
tic polynomial-time algorithms satisfying the following conditions 

1. Key generation algorithm: On input $1^k$ (the security parameter) algorithm $G$ 
produces a pair $(e, d)$ where $e$ is called the public key, and $d$ the corresponding 
private key. (Notation: $(e, d) \in G(1^k)$.) We will also refer to the pair $(e, d)$ as a 
pair of encryption/decryption keys. 

2. An encryption algorithm: Algorithm $E$ takes as inputs encryption key $e$ from 
the range of $G(1^k)$ and string $m \in \{0,1\}^k$ called the message, and produces 
as output string $c \in \{0,1\}^*$ called the ciphertext. (We use the notation $c \in 
E(e, m)$ or the shorthand $c \in E_e(m)$.) Note that as $E$ is probabilistic, it may 
produce many ciphertexts per message. 

3. A decryption algorithm: Algorithm $D$ takes as input decryption key $d$ from the 
range of $G(1^k)$ and a ciphertext $c$ from the range of $E(e, m)$, and produces 
as output a string $m' \in \{0,1\}^*$, such that for every pair $(e, d)$ in the range of 
$G(1^k)$, for every $m$, for every $c \in E(e, m)$, $\Pr[D(d, c) \neq m]$ is negligible. 

4. Furthermore, this system is "secure" (see discussion below). 

A private-key encryption scheme is identically defined except that $e = d$. The 
security definitions for private-key encryption and public-key encryption differ 
in one aspect only: in the latter $e$ is a public input available to the adversary, whereas in the 
former $e$ is a secret not available to the adversary. 

5.1.1. Defining security 

Brainstorming about what it means to be secure brings immediately to mind 
several desirable properties. Let us start with the minimal requirement and 
build up. 

First and foremost the private key should not be recoverable from seeing 
the public key. Secondly, with high probability for any message space, messages 
should not be entirely recovered from seeing their encrypted form and the public 
file. Thirdly, we may want that in fact no useful information can be computed about 
messages from their encrypted form. Fourthly, we do not want the adversary to be 
able to compute any useful facts about traffic of messages, such as recognize that 
two messages of identical content were sent, nor would we want her probability of 
successfully deciphering a message to increase if the time of delivery or relationship 
to previous encrypted messages were made known to her. 

In short, it would be desirable for the encryption scheme to be the mathemat- 
ical analogy of opaque envelopes containing a piece of paper on which the message 
is written. The envelopes should be such that all legal senders can fill it, but only 
the legal recipient can open it. 
Two definitions of security attempting to capture the "opaque envelope" anal- 
ogy have been proposed in the work of [?] and are in use today: computational 
indistinguishability and semantic security. The first definition is easy to work with 
whereas the second seems to be the natural extension of Shannon's perfect secrecy 
definition to the computational world. They are equivalent to each other as shown 
by [?, ?]. 

The first definition essentially requires that the adversary cannot find a pair 
of messages $m_0, m_1$ for which the probability distributions over the corresponding 
ciphertexts are computationally distinguishable. 

Definition 16 We say that a public key cryptosystem $(G, E, D)$ is computation- 
ally indistinguishable if $\forall$ PPT algorithms $F$, $A$, and $\forall$ constant $c > 0$, $\exists k_0$, $\forall 
k > k_0$, $\forall m_0, m_1 \in F(1^k)$, $|m_0| = |m_1|$, 

$$\Big| \Pr[A(e, c) = 1 \mid (e, d) \in G(1^k);\ c \in E(e, m_0)] 
- \Pr[A(e, c) = 1 \mid (e, d) \in G(1^k);\ c \in E(e, m_1)] \Big| < \frac{1}{k^c}.$$ 

Remarks about the definition 

1. In the case of a private-key cryptosystem, the definition changes slightly: the 
encryption key $e$ is not given to algorithm $A$. 

2. Note that even if the adversary knows that the message being encrypted is 
one of two, he still cannot tell the distribution of ciphertexts of one message 
apart from the other. 

3. Any cryptosystem in which the encryption algorithm $E$ is deterministic im- 
mediately fails to pass this security requirement (e.g. given $e$, $m_0$, $m_1$ and $c$ it 
would be trivial to decide whether $c = E(e, m_0)$ or $c = E(e, m_1)$, as for each 
message the ciphertext is unique). 

The next definition is called Semantic Security. It may be viewed as a com- 
putational version of Shannon's perfect secrecy definition. It requires that the ad- 
versary should not gain any computational advantage or partial information from 
having seen the ciphertext. 

Definition 17 We say that a public key cryptosystem $(G, E, D)$ is semantically 
secure if $\forall$ PPT algorithm $A$ $\exists$ PPT algorithm $B$, s.t. $\forall$ PPT algorithm $M$, $\forall$ 
function $h : M(1^k) \to \{0,1\}^*$, $\forall c > 0$, $\exists k_0$, $\forall k > k_0$, 
$$\Pr[A(e, |m|, c) = h(m) \mid (e, d) \in G(1^k);\ m \in M(1^k);\ c \in E(e, m)] < \Pr[B(e, |m|) = h(m) \mid m \in M(1^k)] + \frac{1}{k^c}.$$ 

The algorithm M corresponds to the message space from which messages are 
drawn, and the function h{m) corresponds to information about message m ( for 
example, h{m) = 1 if m has the letter 'e' in it). 

Theorem 18 [?, ?] A public key cryptosystem is computationally indistinguish- 
able if and only if it is semantically secure. 
5.2. Encryption: construction phase 

We turn now to showing how to actually build a public key encryption scheme 
which is polynomial time indistinguishable. The construction shown here is by 
Goldwasser and Micali [?]. The key to the construction is to answer a simpler 
problem: how to securely encrypt single bits. Encrypting general messages would 
follow by viewing each message as a string of bits, each encrypted independently. 

Given a collection of trapdoor predicates $B$, we define a public key cryptosys- 
tem $(G, E, D)_B$ as follows: 

Definition 19 A probabilistic encryption $PE_B = (G, E, D)$ based on trapdoor pred- 
icates $B$ is defined as: 

1. Key generation algorithm $G$: On input $1^k$, $G$ outputs $(i, t_i)$ where $B_i \in B$, 
$i \in \{0,1\}^k$ and $t_i$ is the trapdoor information. The public encryption key is $i$ 
and the private decryption key is $t_i$. (This is achieved by running the sampling 
algorithm $S_1$ from the definition of $B$.) 

2. Let $m = m_1 \ldots m_n$ where $m_j \in \{0,1\}$ be the message. 
$E(i, m)$ encrypts $m$ as follows: 

Choose $x_j \in_R D_i$ such that $B_i(x_j) = m_j$ for $j = 1, \ldots, n$. 

Output $c = f_i(x_1) \ldots f_i(x_n)$. 

3. Let $c = y_1 \ldots y_n$ where $y_j \in D_i$ be the ciphertext. 
$D(t_i, c)$ decrypts $c$ as follows: 

Compute $m_j = B_i(y_j)$ for $j = 1, \ldots, n$. 
Output $m = m_1 \ldots m_n$. 

It is clear that all of the above operations can be done in expected polynomial 
time from the definition of trapdoor predicates and that messages can indeed be 
sent this way. 
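The Goldwasser-Micali trapdoor predicate of Section 4.3.4 plugged into the bit-by-bit scheme of Definition 19 is small enough to write out in full. The Python program below is an added example, not the paper's own code: $S_1$ is key generation with $n = pq$ public and $(p, q)$ the trapdoor; $S_2$ samples $r^2 \bmod n$ for bit 0 and $n - r^2 \bmod n$ for bit 1 (both in $J_n^{+1}$, so the public Jacobi symbol reveals nothing); $S_3$ decides residuosity with the trapdoor via the Legendre symbols mod $p$ and $q$. As in Definition 11 the ciphertext is the list of sampled elements $x_j$ themselves. The primes $1019$ and $1031$ are constructed toy values (both $3 \bmod 4$), and the function names are assumptions of the example.

```python
import random
from math import gcd

# Added example (not the survey's code): the Goldwasser-Micali trapdoor
# predicate QR_n on J_n^{+1} used as the bit encryption of Definition 19.
# The primes are constructed toy values; both are 3 mod 4 as the text requires.

rng = random.Random(11)

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed via quadratic reciprocity
    WITHOUT factoring n, i.e. from public information only."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                    # pull out factors of 2: (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                          # reciprocity step
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def legendre(a, p):
    """Euler's criterion: a^((p-1)/2) mod p is 1 for residues, p-1 otherwise."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def keygen(p, q):
    """S_1 (toy): public index n = pq, trapdoor (p, q)."""
    assert p % 4 == 3 and q % 4 == 3
    return p * q, (p, q)

def sample_x_with_bit(n, v):
    """S_2: random x in J_n^{+1} with QR_n(x) = v.  r^2 is a residue; since
    p = q = 3 mod 4, -1 is a non-residue mod both primes, so n - r^2 is a
    non-residue whose Jacobi symbol is (-1)(-1) = +1."""
    while True:
        r = rng.randrange(2, n)
        if gcd(r, n) == 1:
            break
    sq = r * r % n
    return sq if v == 0 else (n - sq) % n

def predicate_with_trapdoor(x, trapdoor):
    """S_3: QR_n(x) computed with the factorization (0 = residue, 1 = not)."""
    p, q = trapdoor
    return 0 if legendre(x, p) == 1 and legendre(x, q) == 1 else 1

def encrypt(n, bits):
    """E(i, m): one independently sampled element per message bit."""
    return [sample_x_with_bit(n, b) for b in bits]

def decrypt(trapdoor, cipher):
    """D(t_i, c): apply the predicate to every block using the trapdoor."""
    return [predicate_with_trapdoor(y, trapdoor) for y in cipher]
```

Two encryptions of the same message differ with overwhelming probability, which is the property Remark 3 after Definition 16 says a deterministic scheme cannot have; and every ciphertext block has Jacobi symbol $+1$, so the only public test available to an eavesdropper is uninformative.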

Let us ignore for a minute the apparent inefficiency of this proposal in band- 
width expansion and computation (which has been addressed by Blum and Gold- 
wasser in [?]) and talk about security. It follows essentially verbatim from the 
definition of trapdoor predicates that this system is polynomial time indistin- 
guishable in the case the message is a single bit (i.e. $n = 1$). Even though every 
bit individually is secure, it is possible in principle that some predicate computed 
on all the bits (e.g. their parity) is easily computable. Luckily, it is not the case. 

We prove polynomial time indistinguishability using the hybrid argument. This 
method is a key proof technique in the theory of pseudo randomness and secure 
protocol design, in enabling to show how to convert a slight "edge" in solving a 
problem into a complete surrender of the problem. 

As this is one of the most straightforward and simplest examples of this technique 
we shall give it in full. 

Theorem 20 [?] Probabilistic encryption $PE_B = (G, E, D)$ is semantically secure 
if and only if $B$ is a collection of trapdoor predicates. 
Proof Suppose that $(G, E, D)$ is not indistinguishably secure (i.e. not semantically 
secure). Then there is a $c > 0$, a PPT $A$ and $M$ such that for infinitely many $k$, 
$\exists m_0, m_1 \in M(1^k)$ with $|m_0| = |m_1|$, 

$$(*)\quad \Big| \Pr[A(i, c) = 1 \mid (i, t_i) \in G(1^k);\ c \in E(i, m_0)] 
- \Pr[A(i, c) = 1 \mid (i, t_i) \in G(1^k);\ c \in E(i, m_1)] \Big| > \frac{1}{k^c}$$ 

where the probability is taken over the choice of $(i, t_i)$, the coin tosses of $A$ and $E$. 

Consider $k$ where $(*)$ holds. Wlog, assume that $|m_0| = |m_1| = k$ and that $A$ 
says 0 more often when $c$ is an encryption of $m_0$ and 1 more often when $c$ is an 
encryption of $m_1$. 

Define distributions $D_j = E(i, s_j)$ for $j = 0, 1, \ldots, k$ where $s_0 = m_0$, $s_k = m_1$ 
and $s_j$ differs from $s_{j+1}$ in precisely 1 bit. 
Let $P_j = \Pr[A(i, c) = 1 \mid c \in D_j]$. 

Then $P_k - P_0 > \frac{1}{k^c}$ and since $\sum_{j=0}^{k-1}(P_{j+1} - P_j) = P_k - P_0$, $\exists j$ such that 
$P_{j+1} - P_j > \frac{1}{k^{c+1}}$. 

Assume that $s_j$ and $s_{j+1}$ differ in the $l$-th bit; that is, $s_{j,l} \neq s_{j+1,l}$ or, equiva- 
lently, $s_{j+1,l} = \overline{s_{j,l}}$, where $s_{j,u}$ is the $u$-th bit of $s_j$. 

Now, consider the following algorithm $B$ which takes input $i, y$ and outputs 0 
or 1 as its guess to the value of the hard core predicate $B_i(y)$. 

$B$ on input $i, y$: 

1. Choose $y_1, \ldots, y_k$ such that $B_i(y_r) = s_{j,r}$ for $r = 1, \ldots, k$ using the sampler $S_2$ from the 
definition of $B$. 

2. Let $c = y_1, \ldots, y, \ldots, y_k$ where $y$ has replaced $y_l$ in the $l$-th block. 

3. If $A(1^k, i, m_0, m_1, c) = 0$ then output $s_{j,l}$. 

If $A(1^k, i, m_0, m_1, c) = 1$ then output $s_{j+1,l} = \overline{s_{j,l}}$. 

Note that $c \in E(i, s_j)$ if $B_i(y) = s_{j,l}$ and $c \in E(i, s_{j+1})$ if $B_i(y) = s_{j+1,l}$. 

Thus, in step 3 of algorithm $B$, outputting $s_{j,l}$ corresponds to $A$ predicting 
that $c$ is an encryption of $s_j$. 

Claim $\Pr[B(i, y) = B_i(y)] > \frac{1}{2} + \frac{1}{2k^{c+1}}$. 
Proof 

$$\Pr[B(i, y) = B_i(y)] = \Pr[A(i, c) = 0 \mid c \in E(i, s_j)] \Pr[c \in E(i, s_j)] 
+ \Pr[A(i, c) = 1 \mid c \in E(i, s_{j+1})] \Pr[c \in E(i, s_{j+1})]$$ 

$$\ge (1 - P_j)\left(\tfrac{1}{2}\right) + (P_{j+1})\left(\tfrac{1}{2}\right) = \frac{1}{2} + \frac{P_{j+1} - P_j}{2} > \frac{1}{2} + \frac{1}{2k^{c+1}}.$$ 

Thus, $B$ will predict $B_i(y)$ given $i, y$ with probability better than $\frac{1}{2} + \frac{1}{2k^{c+1}}$. 
This contradicts the assumption that $B_i$ is a trapdoor predicate. 
Hence, the probabilistic encryption $PE = (G, E, D)$ is indistinguishably se- 
cure. 
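The hybrid argument can be watched in action on a toy. The following Python program is an added simulation, not part of the survey: the "predicate" is deliberately constructed to leak (the sampler $S_2$ returns a 16-bit $x$ whose top bit equals the hidden bit with probability 3/4, so there is something for the reduction to find), $A$ is a distinguisher for $m_0 = 0^k$ and $m_1 = 1^k$ that takes a majority vote over the leaked bits, and the algorithm $B$ is built from $A$ exactly as in the proof: estimate the $P_j$ over the hybrids $s_0, \ldots, s_k$, pick the index $j$ with the largest jump $P_{j+1} - P_j$, sample blocks for $s_j$, plant the challenge $y$ in the $l$-th block and invert $A$'s verdict into a guess for the bit. All names, the leak rate and the message length are assumptions of the example.

```python
import random

# Added example (not from the survey): the hybrid argument of Theorem 20
# run as a simulation over a CONSTRUCTED leaky predicate.  The leak exists
# only so that a distinguisher A has an edge for B to turn into a predictor.

rng = random.Random(3)
K = 3            # message length; at most K+1 hybrids
LEAK = 0.75      # Pr[top bit of a sampled x equals its hidden bit]

def sample_with_bit(v):
    """Toy S_2: 16-bit x carrying hidden bit v; the top bit leaks v w.p. LEAK."""
    top = v if rng.random() < LEAK else 1 - v
    return (top << 15) | rng.randrange(1 << 15)

def top_bit(x):
    return x >> 15

def encrypt(bits):
    """E(i, m) of Definition 19: one sampled element per message bit."""
    return [sample_with_bit(b) for b in bits]

def A(c):
    """Distinguisher for m0 = 0^K vs m1 = 1^K: majority vote of leaked bits."""
    return 1 if sum(top_bit(x) for x in c) * 2 > len(c) else 0

def hybrids(m0, m1):
    """s_0 = m0, ..., s_k = m1, consecutive strings differing in one bit."""
    s = [list(m0)]
    for l in range(len(m0)):
        if m0[l] != m1[l]:
            nxt = list(s[-1])
            nxt[l] = m1[l]
            s.append(nxt)
    return s

def estimate_P(s_j, samples=2000):
    """P_j = Pr[A(c) = 1 | c <- E(i, s_j)], estimated empirically."""
    return sum(A(encrypt(s_j)) for _ in range(samples)) / samples

def build_predictor(m0, m1):
    """Return B (as a function of y) together with the chosen j and the P_j.
    The proof only needs some j with a jump > 1/k^{c+1}; we take the largest."""
    s = hybrids(m0, m1)
    P = [estimate_P(sj) for sj in s]
    j = max(range(len(s) - 1), key=lambda t: P[t + 1] - P[t])
    l = next(u for u in range(len(m0)) if s[j][u] != s[j + 1][u])

    def B(y):
        c = encrypt(s[j])          # step 1: blocks y_1..y_k for s_j
        c[l] = y                   # step 2: plant y in the l-th block
        # step 3: A answering "s_j" (0) means B_i(y) = s_{j,l}, else the flip
        return s[j][l] if A(c) == 0 else 1 - s[j][l]
    return B, j, P

def predictor_success_rate(B, trials=4000):
    """Pr[B(y) = hidden bit of y] for fresh y with a uniformly random bit."""
    hits = 0
    for _ in range(trials):
        v = rng.randrange(2)
        hits += B(sample_with_bit(v)) == v
    return hits / trials
```

With a leak rate of 3/4 and $k = 3$ the hybrid probabilities are $P_0, \ldots, P_3 \approx 10/64, 22/64, 42/64, 54/64$, so $B$ should guess the bit of a single fresh $y$ correctly about $42/64 \approx 0.66$ of the time, well above $1/2$; a predicate for which no such $A$ exists gives $B$ no advantage, which is the contrapositive the proof uses.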



5.3. Strengthening the adversary: non malleable security 

The entire discussion so far has assumed that the adversary can listen to the 
ciphertexts being exchanged over the insecure channel, read the public file (in the 
case of public-key cryptography), generate encryptions of any message on his own 
(for the case of public-key encryption), and perform probabilistic polynomial time 
computation. 

One may imagine a more powerful adversary who can intercept messages being 
transmitted from sender to receiver and either stop their delivery altogether or 
alter them in some way. Even worse, suppose the adversary can, after seeing a 
ciphertext, request a polynomial number of related ciphertexts to be decrypted for 
him. For definitions and constructions of encryption schemes secure against such 
adversaries see [?, ?]. 

6. A constructive theory of pseudo randomness 

A theory of randomness based on computability theory was developed by Kol- 
mogorov, Solomonoff and Chaitin [?]. This theory applies to individual 
strings and defines the complexity of a string as the shortest program (running on 
a universal machine) that generates that string. A perfectly random string is the 
extreme case for which no program shorter than the length of the string itself can 
generate it. Inherently, it is impossible to generate perfectly random strings from 
shorter ones. 

One of the surprising contributions of cryptographically motivated research 
in the early eighties has been a theory of randomness based on computational complexity 
theory, pioneered by Shamir [?] and Blum and Micali [?], which makes it possible in 
principle to deterministically generate random strings from shorter ones. Not to mix 
notions, we will henceforth refer to this latter development as a theory of pseudo 
randomness, and the strings generated as pseudo random. In contrast, when we 
speak of choosing a truly random string of a fixed length over some alphabet, we 
refer to selecting it with uniform probability over all strings of the same length. In 
this section we shall only speak of the binary alphabet. The notation $x \in_R \{0,1\}^k$ will 
thus be taken to mean that for every $s \in \{0,1\}^k$, the probability of $x = s$ is $1/2^k$. 

Defining pseudo-random distributions is a special case of the definition of com- 
putational indistinguishability, which we encountered earlier in the context of secure 
encryption. A distribution over binary strings is called pseudo-random if it is com- 
putationally indistinguishable from the uniform distribution over all binary strings 
of the same length. The idea is that as long as we cannot tell apart samples from the 
uniform distribution from samples of a distribution $X$ in polynomial time, there is 
no difference between using either distribution that can be observed in polynomial 
time. In particular, any probabilistic algorithm in which the internal coin flips of 
the algorithm are replaced by strings sampled from $X$ must not behave any dif- 
ferently than it would using truly random coin flips. A counterexample would yield a 
statistical test to distinguish between $X$ and the uniform distribution. 

A deterministic polynomial time program which 'stretches' a short input string 
selected with uniform distribution (henceforth called the 'seed') to a polynomially 
long output string is called a pseudo random sequence generator. When such a 
construction is accompanied with a proof that the output string distribution is 
pseudo random we call the generator a strong pseudo random sequence generator 
(SPRSG).† 

In a culmination of a sequence of results by [?, ?, ?], Håstad, 
Impagliazzo, Levin and Luby showed that a necessary and sufficient condition for 
the existence of strong pseudo random sequence generators is the existence of one- 
way functions. 

The link between one-way functions and pseudo randomness starts from the 
following observation. First, rephrase the fact that inverting one-way functions 
is difficult by saying that the inverse of a one-way function is unpredictable. In 
particular, the hard-core of a one-way function is impossible to predict with any 
non-negligible probability greater than $\frac{1}{2}$. Second, show that impossibility to predict 
is the ultimate test for pseudo randomness. Namely, if a pseudo-random sequence 
generator has the property that it is difficult to predict the next bit from previous 
ones with probability significantly better than $\frac{1}{2}$ in time polynomial in the size of 
the seed, then it is impossible to distinguish in polynomial time between strings 
produced by the pseudo random sequence generator and truly random strings. 
This is proved by turning any statistical test that distinguishes in polynomial time 
pseudo random strings from random strings into a polynomial time next-bit predictor. 
This link is not conditional on the existence of one-way functions. In fact, in work 
by Nisan and Wigderson [?] they removed the requirement that the pseudo random 
sequence generator has to work in time which is as fast as the algorithm trying to 
distinguish the output sequences from truly random ones. Generators of this type are 
generally useless for cryptographic applications (as their output cannot be generated in 
feasible time) but are very useful for proving complexity theoretic results. 

Strong pseudo random generators are useful for understanding the relation 
between deterministic algorithms and probabilistic algorithms. The idea which was 
put forth by Yao [?] was to replace a single execution of a probabilistic polynomial 
time algorithm $A$ with the majority output of all the executions of the same algo- 
rithm, where each execution uses instead of random coins the output of a strong 
pseudo random number generator on a different input seed. The cost of the latter 
deterministic procedure will be a factor of $2^{k'}$ longer where $k'$ is the seed length 
used to generate the pseudo random sequences necessary. The algorithm $A$ must 
behave "the same" when it uses truly random coins as when it uses coins which 
are pseudo-random, as otherwise it becomes a distinguisher between the uniform 
and pseudo-random distributions, an impossible task for a probabilistic polynomial 
time algorithm. Putting this together, we get: if one-way functions exist, then 
$BPP \subseteq \bigcap_{\epsilon > 0} DTIME(2^{n^\epsilon})$. This tradeoff between the hardness of inverting the one- 
way function, and randomness replacement, has been followed up with many papers 
in complexity theory each either relaxing the hardness assumption or tightening the 
relation between deterministic and probabilistic complexity classes. 

† Again the choice of polynomial-time is arbitrary here; a strong pseudo random sequence 
generator can be defined to be a deterministic program which works in time $T(n)$ where $n$ is the 
seed length and is computationally indistinguishable with respect to algorithms which run in time 
$T'(n)$ for time functions $T, T'$. 
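Both halves of this section, a generator built from a one-way function and Yao's majority-over-all-seeds derandomization, fit in one short program. The Python below is an added example, not the survey's own code: it implements the Blum-Micali generator (which the text credits to Blum and Micali: iterate $x_{i+1} = g^{x_i} \bmod p$ and output the hard-core bit $[x_i < (p-1)/2]$ of the discrete log of $x_{i+1}$) over the constructed toy prime $p = 251$, so that the seed space of $p - 1 = 250$ seeds can actually be enumerated, and uses it to derandomize Freivalds' randomized check of a matrix product by running the check once per seed and taking the majority. The prime, the choice of Freivalds' algorithm as the $BPP$ algorithm being derandomized, and all function names are assumptions of the example.

```python
# Added example (not from the survey): a Blum-Micali generator over a toy
# prime, and Yao's derandomisation of a randomised algorithm (Freivalds'
# matrix-product check) by majority vote over ALL seeds.  p = 251 is a
# constructed toy parameter: with only 250 seeds the 2^{k'} blow-up is small.

P = 251

def find_generator(p):
    """Smallest g with g^((p-1)/r) != 1 for every prime r dividing p-1."""
    m, r, factors = p - 1, 2, set()
    while r * r <= m:
        while m % r == 0:
            factors.add(r)
            m //= r
        r += 1
    if m > 1:
        factors.add(m)
    return next(g for g in range(2, p)
                if all(pow(g, (p - 1) // r, p) != 1 for r in factors))

G = find_generator(P)

def blum_micali(seed, nbits, p=P, g=G):
    """x_{i+1} = g^{x_i} mod p; emit the hard-core bit [x_i < (p-1)/2], i.e. a
    bit of the discrete log of the next state.  Predicting the next output
    bit from the previous ones would mean predicting that hard-core bit."""
    x, out = seed, []
    for _ in range(nbits):
        out.append(1 if x < (p - 1) // 2 else 0)
        x = pow(g, x, p)
    return out

def freivalds(Amat, Bmat, Cmat, coins):
    """Randomised check that A*B == C using n coin flips r in {0,1}^n:
    compare A(Br) with Cr.  Never rejects a correct product; accepts a wrong
    one with probability at most 1/2 over truly random coins."""
    n = len(Amat)
    r = coins[:n]
    Br = [sum(Bmat[i][j] * r[j] for j in range(n)) for i in range(n)]
    ABr = [sum(Amat[i][j] * Br[j] for j in range(n)) for i in range(n)]
    Cr = [sum(Cmat[i][j] * r[j] for j in range(n)) for i in range(n)]
    return ABr == Cr

def derandomised_freivalds(Amat, Bmat, Cmat, p=P):
    """Yao's construction: run the randomised algorithm with pseudo-random
    coins for EVERY seed and return the majority verdict (deterministic)."""
    n = len(Amat)
    votes = sum(freivalds(Amat, Bmat, Cmat, blum_micali(seed, n))
                for seed in range(1, p))
    return votes * 2 > (p - 1)

def matmul(X, Y):
    n = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]
```

The derandomized procedure is deterministic and its cost is the randomized cost times the number of seeds; for a correct product every seed accepts, and for a product that is wrong on the diagonal only the seeds whose first $n$ output bits are all zero accept, which is far from a majority.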

Strong pseudo random generators are particularly useful for cryptography. 
Suppose you need a large supply of random strings for your cryptographic applica- 
tions (e.g. the choice of secret keys, internal coin tosses of an encryption algorithm, 
etc.). If you use, instead of truly random bits, pseudo random sequence generators 
which are weak (e.g. predictable), it may completely destroy the underlying cryp- 
tographic applications [?]. In contrast, we can replace any use of truly random 
coins with strong pseudo random ones (assuming we have access to truly random 
coins for the seeds, which is an interesting discussion all by itself), without fear 
of compromising the security of the underlying application. Indeed, if as a result 
of such replacement the cryptographic application becomes insecure, then a way is 
found to distinguish outputs of the SPRSG from the uniform distribution. Many classical 
pseudo random number generators which are quite useful and effective for Monte 
Carlo simulations have been shown not only weak but predictable in a strong sense 
which makes them typically unsuitable for cryptographic applications. For example, 
linear feedback shift registers are well-known to be cryptographically insecure [?]; 
one can solve for the feedback pattern given a small number of output bits, and sim- 
ilarly for outputs of linear congruential generators [?]. In [?] Kannan, Lenstra, and 
Lovász use the [?] algorithm to show that the binary expansion of any algebraic 
number $y$ (such as $\sqrt{5} = 10.001111000110111\ldots$) is insecure, since an adversary 
can identify $y$ exactly from a sufficient number of bits, and then extrapolate $y$'s 
expansion. 



6.1. Pseudo random functions, permutations, and what else? 

Similarly to defining pseudo random sequences, one may ask what other random objects can be replaced with pseudo-random counterparts. Goldreich, Goldwasser and Micali [ref] considered in this light random functions, which form a gold mine for applications. Pseudo random functions are defined to be, for every size $k$, a subset of all functions from (and to) the binary strings of length $k$, which are polynomial time indistinguishable from truly random functions by any algorithm whose only access to the function is to query it on inputs of its choice. However, in contrast with a truly random function, a pseudo random function has a short description which, if known, enables efficient evaluation.

Let $H_k = \{f : \{0,1\}^k \to \{0,1\}^k\}$; then [expression lost in extraction]. Let $H = \bigcup_k H_k$.

Definition 21 A polynomial time statistical test for functions is a polynomial time algorithm $T$ with access to a black box $f$ from which $T$ can request values of $f(x)$ for $x$ of $T$'s choice. A collection of functions $F = \bigcup_k F_k$, where $F_k \subseteq H_k$, passes the statistical test $T$ if $\forall Q \in \mathbb{Q}[x],\ \exists k_0,\ \forall k > k_0:\ |T(F_k) - T(H_k)| < 1/Q(k)$, where

$T(F_k) = \Pr_{f \in F_k,\ \text{coins of } T}[T^f(1^k) = 1]$ and $T(H_k) = \Pr_{f \in H_k,\ \text{coins of } T}[T^f(1^k) = 1]$.
Definition 22 A collection of functions $F = \bigcup_k F_k$ is a pseudo-random collection of functions if

1. (Indexing) For each $k$, there is a unique index $i \in \{0,1\}^k$ associated with each $f \in F_k$. The function $f \in F_k$ associated with index $i$ will be written $f_i$.

2. (Efficiency) There is a polynomial time function $A$ so that $A(i, x) = f_i(x)$.

3. (Pseudo-randomness) $F$ passes all polynomial time statistical tests for functions.

Theorem 23 If there exist one-way functions, then there exist pseudo-random collections of functions.

An immediate application of pseudo random functions is the construction of a semantically secure private key cryptosystem, as follows. Let $s$, an index of a pseudo random function $f_s$, be the joint secret key of the sender Alice and the receiver Bob. Then to encrypt message $m$, Alice selects at random $r \in \{0,1\}^k$, and sets the ciphertext $c = (r, f_s(r) \oplus m)$, where $\oplus$ is the bit-wise exclusive-or of two strings. To decrypt $c = (a, b)$, Bob computes $f_s(a) \oplus b$.
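The scheme just described, as an added example that is not code from the paper: the pseudo random function $f_s$ is instantiated with HMAC-SHA256 (an assumption; the paper only assumes that some pseudo-random collection exists), with $k = 256$ bits, and the last function shows why $r$ must be fresh for every encryption.

```python
import hashlib, hmac, os

# Added example, not code from the paper. The pseudo random function f_s
# is instantiated with HMAC-SHA256 (an assumption); k = 256 bits = 32 bytes.
K = 32


def prf(s: bytes, r: bytes) -> bytes:
    """f_s(r): the pseudo random function with index (secret key) s."""
    return hmac.new(s, r, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bit-wise exclusive-or of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def keygen() -> bytes:
    """Joint secret key of Alice and Bob: a random index s in {0,1}^k."""
    return os.urandom(K)


def encrypt(s: bytes, m: bytes, r: bytes = None) -> tuple:
    """Alice: choose r in {0,1}^k at random, output c = (r, f_s(r) XOR m).
    r may be supplied only to demonstrate the reuse failure mode below."""
    if len(m) != K:
        raise ValueError("message must be exactly k bits")
    if r is None:
        r = os.urandom(K)  # fresh coins for every encryption
    return r, xor(prf(s, r), m)


def decrypt(s: bytes, c: tuple) -> bytes:
    """Bob: on c = (a, b), compute f_s(a) XOR b."""
    a, b = c
    return xor(prf(s, a), b)


def reuse_leaks_xor(s: bytes, m1: bytes, m2: bytes) -> bool:
    """Failure mode: if the same r is used twice, the pads cancel and
    c1 XOR c2 = m1 XOR m2, which is why r must be fresh each time."""
    r = os.urandom(K)
    _, b1 = encrypt(s, m1, r)
    _, b2 = encrypt(s, m2, r)
    return xor(b1, b2) == xor(m1, m2)


if __name__ == "__main__":
    s = keygen()
    m = b"pseudo random functions at work!"  # constructed 32-byte message
    c1, c2 = encrypt(s, m), encrypt(s, m)
    print(decrypt(s, c1) == m, c1 != c2, reuse_leaks_xor(s, m, bytes(K)))
```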

Pseudo random functions have been used to derive negative results in computational learning theory by Valiant and Kearns [ref]. They show that any concept class (i.e. a set of Boolean functions) which contains a family of pseudo random functions cannot be efficiently learnable under the uniform distribution, even with the help of membership queries. A learning algorithm is given oracle access to any function in the class and is required to output a description of a function which is close to the target function (the one being queried).

The work on natural proofs, originated by Rudich and Razborov [ref], uses pseudo random functions to derive negative results on the possibility of proving good complexity lower bounds using a restricted class of circuit lower bound proofs referred to as natural. It is proved that natural (lower bound) proofs cannot be established for complexity classes containing a family of pseudo random functions.

An interesting question is to characterize which classes of random objects can be replaced by pseudo random objects. Luby and Rackoff treated the case of pseudo random permutations, and Naor and Reingold the case of permutations with cyclic structure [ref]. As any object can be abstracted as a restricted class of functions, the real question is what form of access to the function the statistical test has. In the standard definition, the statistical test for functions can query the function at values of its choice. This may not necessarily be the natural choice in every case; for example, the function may correspond to the description of a random graph (e.g. $f(u, v) = 1$ if and only if an edge is present between vertices $u$ and $v$).

Define the "ultimate" extension of a statistical test for functions on $k$-bit strings to be one given access to the entire truth table of the function (i.e. an exponential size input). The following observation is then straightforward.

Theorem 24 Let $f : \{0,1\}^* \to \{0,1\}^*$ be a polynomial time computable function for which the fastest inverting algorithm runs in time $2^{n^{\varepsilon}}$ for some $\varepsilon > 0$. Then there exist collections of pseudo random functions which pass all ultimate statistical tests for functions.
7. Interactive protocols, interactive proofs, and zero knowledge interactive proofs

Secure one-way communication is a special case of general interactive protocols. The most exciting development in cryptography beyond public-key cryptography has been the development of interactive protocols, interactive proofs, and zero knowledge interactive proofs [ref, 76, ref, ref, 19, ref]. Unfortunately, we have no space to cover these developments in this article. These topics have been surveyed extensively, and the interested reader may turn to [ref].

A few final words. Generally speaking, an interactive protocol consists of two 
or more parties who cooperate and coordinate without a trusted "third" party to 
accomplish a common goal, referred to as the functionality of the protocol, while 
maintaining the secrecy of their private data. A functionality may be computing a 
simple deterministic function such as majority of the inputs of the communicating 
parties, or a more complicated probabilistic computation such as playing a non- 
cooperative game without a trusted referee. 

In the case of more than two parties, the case of adversarial coalitions of participants who attempt to damage the functionality and break secrecy has been considered. Very powerful and surprising theorems about the ability to play non-cooperative games without a trusted "third party" have been shown. A sample theorem of Ben-Or, Goldwasser, and Wigderson shows that in the presence of an adversarial coalition containing less than a third of the parties, any probabilistic computation can be performed while maintaining functionality and perfect information theoretic secrecy of the inputs, as long as each pair of parties can communicate in perfect secrecy [ref]. These results make extensive use of error correcting codes based on polynomials. The connection between these theorems and research in game theory and the theory of auctions is well worth examining.